Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerabilities in the apache/bookkeeper-4.9.2 image #2387

Closed
padma81 opened this issue Jul 28, 2020 · 13 comments
Closed

Security vulnerabilities in the apache/bookkeeper-4.9.2 image #2387

padma81 opened this issue Jul 28, 2020 · 13 comments

Comments

@padma81
Copy link

padma81 commented Jul 28, 2020

BUG REPORT
A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.

Component Current Version CVE Severity Version to be upgraded to References
Apache log4j 1.2.17 CVE-2017-5645 CRITICAL 2.8.2 https://nvd.nist.gov/vuln/detail/CVE-2017-5645
Apache log4j 1.2.17 CVE-2019-17571 CRITICAL 2.8.2 https://nvd.nist.gov/vuln/detail/CVE-2019-17571
https://logging.apache.org/log4j/1.2/index.html
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5556 CRITICAL 8u241
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5568 CRITICAL 8u241
Java Platform Standard Edition (JRE) (J2RE) 8u102 CVE-2016-5582 CRITICAL 8u241
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2017-7657 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2017-7658 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server 9.4.5.v20170502 CVE-2018-12538 CRITICAL 9.4.11 https://www.eclipse.org/jetty/security-reports.html
Netty Project 3.10.1.Final CVE-2019-20444 CRITICAL 4.1.44.Final netty/netty#9866
https://github.com/netty/netty/milestone/218?closed=1
Netty Project 3.10.1.Final CVE-2019-20445 CRITICAL 4.1.44.Final netty/netty#9861
https://github.com/netty/netty/milestone/218?closed=1
OpenLDAP 2.4.44 CVE-2019-13565 HIGH 2.4.48 https://access.redhat.com/security/cve/CVE-2019-13565
https://bugzilla.redhat.com/show_bug.cgi?id=1730477
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Python programming language 2.7.5 CVE-2018-14647 HIGH 2.7.5-86.el7.x86_64 https://access.redhat.com/security/cve/CVE-2018-14647
https://access.redhat.com/errata/RHSA-2019:2030
Python programming language 2.7.5 CVE-2019-10160 CRITICAL 2.7.5-80.el7_6.x86_64 https://access.redhat.com/security/cve/CVE-2019-10160
https://access.redhat.com/errata/RHSA-2019:1587
Python programming language 2.7.5 CVE-2019-16056 HIGH 2.7.5-88.el7.x86_64 https://access.redhat.com/security/cve/CVE-2019-16056
https://access.redhat.com/errata/RHSA-2020:1131
Python programming language 2.7.5 CVE-2019-5010 HIGH 2.7.5-86.el7.x86_64 https://access.redhat.com/security/cve/CVE-2019-5010
https://access.redhat.com/errata/RHSA-2019:2030
Python programming language 2.7.5 CVE-2019-9948 CRITICAL 2.7.5-86.el7  https://access.redhat.com/security/cve/CVE-2019-9948
https://access.redhat.com/errata/RHSA-2019:2030
avahi 0.6.31 CVE-2017-6519 CRITICAL 0.6.31-20.el7.x86_64 https://access.redhat.com/security/cve/CVE-2017-6519
https://access.redhat.com/errata/RHSA-2020:1176
elfutils 0.176 CVE-2018-16402 CRITICAL 0.176-2.el7 https://access.redhat.com/security/cve/CVE-2018-16402
https://access.redhat.com/errata/RHSA-2019:2197
jackson-databind 2.9.7 CVE-2018-19360 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19360
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2018-19361 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19361
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2018-19362 CRITICAL 2.9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-19362
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind 2.9.7 CVE-2019-14379 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14379
FasterXML/jackson-databind#2387
jackson-databind 2.9.7 CVE-2019-14540 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14540
FasterXML/jackson-databind#2410
jackson-databind 2.9.7 CVE-2019-14892 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14892
FasterXML/jackson-databind#2462
jackson-databind 2.9.7 CVE-2019-14893 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-14893
FasterXML/jackson-databind#2469
jackson-databind 2.9.7 CVE-2019-16335 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16942
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-16942 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16942
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-16943 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16943
FasterXML/jackson-databind#2478
jackson-databind 2.9.7 CVE-2019-17267 CRITICAL 2.9.10 https://nvd.nist.gov/vuln/detail/CVE-2019-17267
FasterXML/jackson-databind#2460
jackson-databind 2.9.7 CVE-2019-17531 CRITICAL 2.9.10.1 https://nvd.nist.gov/vuln/detail/CVE-2019-17531
FasterXML/jackson-databind#2498
jackson-databind 2.9.7 CVE-2019-20330 CRITICAL 2.9.10.2 https://nvd.nist.gov/vuln/detail/CVE-2019-20330
FasterXML/jackson-databind#2526
jackson-databind 2.9.7 CVE-2020-8840 CRITICAL 2.9.10.3 https://nvd.nist.gov/vuln/detail/CVE-2020-8840
FasterXML/jackson-databind#2620
systemd 219 CVE-2018-15686 CRITICAL 219-67.el7_7.4 https://access.redhat.com/security/cve/CVE-2018-15686
https://access.redhat.com/errata/RHSA-2019:2091
systemd-libs 219 CVE-2018-15686 CRITICAL 219-67.el7_7.4 https://access.redhat.com/security/cve/CVE-2018-15686
https://access.redhat.com/errata/RHSA-2019:2091

Steps to reproduce the behavior:

  1. Scan the apache/bookkeeper:4.9.2 with the help of a security scanner.

Expected behavior
The scanner should not report any vulnerabilities, that are already fixed.

Screenshots
NA

Additional context
NA

@padma81
Copy link
Author

padma81 commented Jul 28, 2020

Even though, for Java, the upgraded version is mentioned as 8u241, it is better to to upgrade to the latest Java 8 security patch available.

@eolivelli
Copy link
Contributor

In my opinion it is time to switch to JDK11 for 4.12.0

cc @ravisharda @sijie @jiazhai @merlimat

@sijie
Copy link
Member

sijie commented Jul 30, 2020

@eolivelli +1 from me. Although we also need to consider that Pulsar is using JDK8.

@jiazhai
Copy link
Member

jiazhai commented Jul 30, 2020

+1

@ravisharda
Copy link
Contributor

Pravega also supports Java 8 as of now. Switching to Java 11 looks good to me, as long as it also continues to work with Java 8.

@padma81
Copy link
Author

padma81 commented Oct 7, 2020

It would be really helpful if anyone could provide an update on this issue.

@eolivelli
Copy link
Contributor

In my opinion we should work in these areas:

  • update the base Docker image
  • move to JDK11
  • update jackson-databind dependencies
  • Apache log4j comes from ZooKeeper project probably, but probably we could drop it
  • update Netty to latest version

@nicoloboschi @Ghatage @mino181295 do you have time to pick up this items ? dependency upgrade / docker image upgrades

@eolivelli
Copy link
Contributor

I am trying to upgrade to JDK11 here #2433

@Ghatage
Copy link
Contributor

Ghatage commented Oct 12, 2020

@eolivelli The requirement for netty is to be at 4.1.44-Final at the least.
It seems we are already at netty 4.1.50-Final which happened just a month ago so I think we are good on that for future releases. Should I backport these changes to branch-4.9?

Same with jackson-databind dependency.

Also what do you recommend for logging? We use SLF4J over log4j, and even the latest SLF4J is lagging behind at 1.7.30. I couldn't find the change log for the release either.

@eolivelli
Copy link
Contributor

I am not sure we are going to cut new releases out of branch-4.9.
It is very old, probably it may have sense to update it on branch-4.10.

Btw if there is an interest in making this update let's do it.

eolivelli added a commit that referenced this issue Oct 16, 2020
Descriptions of the changes in this PR:
- Update "master" docker image to BK 4.11.0
- Update to OpenJDK11 the main Docker image and the Docker image used for integration tests
- We are not using "JRE" because it does not bundle jshell and our script detects the presence of JDK11+ from the presence of file "jshell"

Master Issue: #2387


Reviewers: Ravi Sharda <None>, Jia Zhai <[email protected]>

This closes #2433 from eolivelli/fix/test-jdk11-upgrade-docker
eolivelli added a commit that referenced this issue Oct 16, 2020
Descriptions of the changes in this PR:
- Update "master" docker image to BK 4.11.0
- Update to OpenJDK11 the main Docker image and the Docker image used for integration tests
- We are not using "JRE" because it does not bundle jshell and our script detects the presence of JDK11+ from the presence of file "jshell"

Master Issue: #2387

Reviewers: Ravi Sharda <None>, Jia Zhai <[email protected]>

This closes #2433 from eolivelli/fix/test-jdk11-upgrade-docker

(cherry picked from commit 83dec6e)
Signed-off-by: Enrico Olivelli <[email protected]>
@pjfanning
Copy link

would it be possible to remove the usage of log4j v1? - it is end-of-life and has numerous security issues that will not be fixed

@pjfanning
Copy link

#2816 seems to sort out log4j - but the latest official release (4.14.4) still has log4jv1 dependency (via slf4j-log4j12) - so maybe a new release is justified

https://repo1.maven.org/maven2/org/apache/bookkeeper/bookkeeper-server/4.14.4/bookkeeper-server-4.14.4.pom

@shoothzj
Copy link
Member

@pjfanning I think we have already remove slf4j-log4j12 and update to java11. We can close this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants